Phishing and email security is big business, and on Feb. 26, email security vendor PhishMe announced that it is being acquired by a private equity consortium that includes BlackRock and Pamplona Capital, valuing the company at $400 million.
As part of the acquisition, PhishMe is also being rebranded as Cofense, in a bid to better define the company’s expanded vision of providing a collaborative defense for cyber-security.
“As a co-founder, it was a difficult decision to change our name from PhishMe,” Aaron Higbee, the company’s CTO and co-founder, told eWEEK. “Our mantra is now that it is technology plus humans that we can tap into in order to defend our networks.”
PhishMe had raised $58 million in funding across three rounds of venture capital investment since the company was founded in 2011. At the time the company raised its $13 million Series B round of funding in March 2015, CEO and co-founder Rohyt Belani told eWEEK that PhishMe’s goal was to positively influence employee behavior about phishing attacks.
In the last two years, PhishMe realized that it can do more than simply train users to spot potential phishing attacks, according to Higbee. He said PhishMe’s tools have been used to condition people to recognize suspicious emails and empower them to report the phishing emails, while giving security teams tools to do something about the reports.
“The things that we want to do in the near term is help security teams to remediate potential phishing attacks as quickly as possible,” Higbee said.
A number of approaches have been advocated in the cyber-security industry to mitigate the risk associated with phishing, including Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC is a protocol that helps protect the integrity and authenticity of email. The U.S. government is among the backers of DMARC and is in the process of implementing it across federal agencies.
Higbee, however, doesn’t see DMARC as a particularly effective approach for preventing all forms of phishing attacks.
“While DMARC is a good technology to prevent the straight-up spoofing of a domain name in an email ‘from’ line, it hasn’t fazed or slowed down attackers at all,” he said.
Business Email Compromise
An increasingly expensive form of phishing is a business email compromise (BEC) attack, in which the attacker spoofs a legitimate business email contact to trick a victim into paying a fraudulent invoice. In May 2017, the FBI’s Internet Crime Complaint Center (IC3) reported that BEC scams have led to $5.3 billion in financial losses globally since October 2013. One such recent incident was revealed on Feb. 21 by IBM Security, which reported that it discovered a BEC attack responsible for $5 million in fraud.
Higbee believes his company’s platform, which enables users to report suspicious email, is also an effective tool to combat BEC attacks. Other approaches to blocking BEC typically involve simply validating known good email addresses, which Higbee said often isn’t enough.
Looking forward, Higbee said Cofense has a series of new product launches scheduled for the coming months that will further extend the company’s capabilities.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.